CVE-2024-10205: Authentication bypass vulnerability exists in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer (18-12-2024)

Preface: Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).

Background: Hitachi Ops Center analytics and observability software supports VSP arrays whether on-premises, in a colocation facility, or a public cloud environment. Ops Center’s analytics software provides health insights and best practices to monitor key performance and capacity indicators across a heterogeneous data center infrastructure, to easily identify and isolate performance problems. By analyzing the data path from virtual machine (VM) and server to SAN fabric and logical storage resources, Hitachi Ops Center analytics software provides essential IT operations visibility and optimization.

Vulnerability details: Authentication bypass vulnerability in Hitachi Ops Center Analyzer on Linux, 64-bit (Hitachi Ops Center Analyzer detail view component) and Hitachi Infrastructure Analytics Advisor on Linux, 64-bit (Hitachi Data Center Analytics component). This issue affects Hitachi Ops Center Analyzer from 10.0.0-00 before 11.0.3-00 and Hitachi Infrastructure Analytics Advisor from 2.1.0-00 through 4.4.0-00.

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2024-10205

About Siemens: CVE-2024-49775 – Heap-based Buffer Overflow Vulnerability in User Management Component (UMC)

Preface: SIMATIC WinCC is a supervisory control and data acquisition (SCADA) and human-machine interface (HMI) system from Siemens. SCADA systems are used to monitor and control physical processes involved in industry and infrastructure on a large scale and over long distances. SIMATIC WinCC can be used in combination with Siemens controllers. WinCC is written for the Microsoft Windows operating system. It uses Microsoft SQL Server for logging and comes with a VBScript and ANSI C application programming interface.

Background: The User Management Component (UMC) enables the system-wide, central maintenance of users with an optional connection to Microsoft Active Directories. UMC allows the establishment of central user management. This means that you can define and manage users and user groups across software and devices. Users and user groups can also be transferred from a Microsoft Active Directory (AD).

The following applications are connected to UMC: SINEMA RC, SINEC NMS, WinCC Unified, TIA Portal & WinCC Runtime Advanced

Vulnerability details: A vulnerability has been identified in Opcenter Execution Foundation (All versions), Opcenter Intelligence (All versions), Opcenter Quality (All versions), Opcenter RDL (All versions), SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1), SINEC NMS (All versions if operated in conjunction with UMC < V2.15), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V18 (All versions), Totally Integrated Automation Portal (TIA Portal) V19 (All versions). Affected products contain a heap-based buffer overflow vulnerability in the integrated UMC component. This could allow an unauthenticated remote attacker to execute arbitrary code.

Official announcement: Please refer to the link for details –

https://cert-portal.siemens.com/productcert/html/ssa-928984.html?ste_sid=ee8ee88d412b10e86a45542d24a25db6

CVE-2024-33063 – OOB read/writes in ML probe generation (15-Dec 2024)

Preface: A patch published in June 2023 adds parsing of the data and adds or updates the BSS using the received elements. Doing this means that userspace can discover the BSSes using an ML probe request and request association on these links.

Background: The term QBSS is used in wireless networks supporting the IEEE 802.11e Quality of Service enhancement. It denotes a Basic Service Set made up of a QoS access point (QAP) and a number of QoS stations (QSTAs).

When enabled, the AP appends a QBSS information element (IE) to its management frames. This IE provides information on channel usage by the AP, so that smart wireless stations can choose a better AP for connectivity. Station count, channel utilization and available admission capacity are the fields carried in this IE.

Vulnerability details: Transient DoS while parsing the ML IE, when a beacon carries an ML IE whose common info length is greater than the length of the ML IE that contains it.
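The length check the description above calls for, as an added example written for this page (it is not Qualcomm's code or the Linux wireless driver's): a constructed, simplified element layout in which an outer element carries a nested common-info block that starts with its own length byte. The element id 0xFE, the field layout and the three sample elements are assumptions for illustration, not the real 802.11be encoding.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified layout for this example (not byte-exact 802.11be).
 * An element is [id][len][len bytes of body]; the body starts with a
 * common-info block whose first byte, common_len, counts itself plus the
 * bytes that follow it.  Both lengths arrive over the air and neither
 * may be trusted. */
#define EID_EXAMPLE_ML 0xFE   /* placeholder element id, not the real one */

struct ml_view {
    const uint8_t *common;   /* start of common info (the common_len byte) */
    size_t common_len;       /* bytes of common info, including that byte */
    const uint8_t *links;    /* per-link data that follows common info */
    size_t links_len;
};

/* Parse one element at buf[0..buf_len).  Returns true and fills *out only
 * when every length is consistent with the bytes actually present. */
static bool parse_ml_element(const uint8_t *buf, size_t buf_len,
                             struct ml_view *out)
{
    if (buf_len < 2)
        return false;                        /* need id and len */
    uint8_t id  = buf[0];
    uint8_t len = buf[1];
    if (id != EID_EXAMPLE_ML)
        return false;
    if ((size_t)len > buf_len - 2)
        return false;                        /* element runs past the frame */
    if (len < 1)
        return false;                        /* no room for common_len */

    const uint8_t *body = buf + 2;
    size_t common_len = body[0];
    /* The check at the heart of the advisory: the common info block must
     * fit inside the element that carries it.  Without it, a parser would
     * read (or copy) common_len bytes out of a len-byte element. */
    if (common_len < 1 || common_len > len)
        return false;

    out->common     = body;
    out->common_len = common_len;
    out->links      = body + common_len;
    out->links_len  = len - common_len;
    return true;
}

/* Constructed sample elements for the checks below. */
static const uint8_t SAMPLE_OK[]      = {0xFE, 5, 3, 0xAA, 0xBB, 0x01, 0x02};
static const uint8_t SAMPLE_TOO_BIG[] = {0xFE, 5, 9, 0xAA, 0xBB, 0x01, 0x02}; /* common_len 9 > len 5 */
static const uint8_t SAMPLE_TRUNC[]   = {0xFE, 9, 3, 0xAA};                   /* len 9 > bytes left */

/* Convenience wrapper: link bytes that follow common info, or -1 if rejected. */
static int links_len_of(const uint8_t *buf, size_t buf_len)
{
    struct ml_view v;
    return parse_ml_element(buf, buf_len, &v) ? (int)v.links_len : -1;
}

int main(void)
{
    printf("ok: %d, too big: %d, truncated: %d\n",
           links_len_of(SAMPLE_OK, sizeof SAMPLE_OK),
           links_len_of(SAMPLE_TOO_BIG, sizeof SAMPLE_TOO_BIG),
           links_len_of(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```

The two rejections are the two ways a received length can lie: the outer length claiming more bytes than the frame holds, and the inner length claiming more bytes than the outer element holds. A parser that only checks the first is exactly the shape of bug the advisory describes.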

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-33063

CVE-2024-5660: This issue could allow a modified, untrusted guest operating system to compromise the host in certain hypervisor environments. (11 Dec 2024)

Preface: NVIDIA Jetson™ is the world’s leading embedded AI computing platform with an integrated Arm CPU.

Background: The owning translation regime uses its address translation table data to determine the properties of the trace data transactions written to system memory.

CPUECTLR_EL1 is a 64-bit register, and is part of the 64-bit registers functional group. This register resets to value 0x0000000961563000. The CPUECTLR_EL1 register contains IMPLEMENTATION DEFINED configuration and control options for the MMU.

Stage 2 translation allows a hypervisor to control a view of memory in a Virtual Machine (VM). Specifically, it allows the hypervisor to control which memory-mapped system resources a VM can access, and where those resources appear in the address space of the VM.

Vulnerability details: When Hardware Page Aggregation (HPA) is enabled and Stage-1 and/or Stage-2 translation is enabled for the active translation regime, memory accesses may be translated incorrectly. This may permit bypass of Stage-2 translation and/or GPT protection.

Affected products: A77, A78, A78C, A78AE, A710, V1, V2, V3, V3AE, X1, X1C, X2, X3, X4, N2, X925, Travis

Recommendations: The issue can be avoided by setting CPUECTLR_EL1[46] to 1, which disables hardware page aggregation.

Official announcement: Please refer to the link for details – https://developer.arm.com/Arm%20Security%20Center/Arm%20CPU%20Vulnerability%20CVE-2024-5660

[CVE-2024-47586] SAP NetWeaver AS ABAP NULL Pointer Dereference (3504390) – 11 Dec 2024

Preface: In computing, an oops is a serious but non-fatal error in the Linux kernel. An oops may precede a kernel panic, but it may also allow continued operation with compromised reliability.

Background: The Internet Communication Manager ensures that communication between the SAP System (SAP NetWeaver Application Server) and the outside world via HTTP, HTTPS and SMTP protocols works properly. In its role as a server, the ICM can process requests from the Internet that arrive as URLs with the server/port combination that the ICM can listen to. The ICM then calls the relevant local handler for the URL in question.

Vulnerability details:

SAP NetWeaver Application Server for ABAP is affected by NULL pointer dereference vulnerability:
SAP NetWeaver Application Server for ABAP and ABAP Platform allows an unauthenticated attacker to send a maliciously crafted HTTP request which could cause a null pointer dereference in the kernel. This dereference will result in the system crashing and rebooting, causing the system to be temporarily unavailable. There is no impact on Confidentiality or Integrity. (CVE-2024-47586)

Official announcement: SAP Security Patch Day – December 2024.

Please refer to the link for details – https://support.sap.com/en/my-support/knowledge-base/security-notes-news/december-2024.html

CVE-2024-53143 – fsnotify: Fix ordering of iput() and watched_objects decrement (10 Dec 2024)

Preface: The name fsnotify is also used by a Go library, whose source files carry the .go extension. That fsnotify is a Go library providing cross-platform filesystem notifications on Windows, Linux, macOS, BSD, and illumos. Go 1.17 or newer is .

Background: In Linux, fsnotify is actually implemented based on the inotify system call. inotify is a subsystem of Linux VFS, which can monitor changes in the file system. When the file system changes, the kernel will notify the user space of these changes, and the user space can do something based on these changes.

Vulnerability details: Fix ordering of iput() and watched_objects decrement. Ensure the superblock is kept alive until we’re done with iput(). Holding a reference to an inode is not allowed unless we ensure the superblock stays alive, which fsnotify does by keeping the watched_objects count elevated, so iput() must happen before the watched_objects decrement. This can lead to a UAF of something like sb->s_fs_info in tmpfs, but the UAF is hard to hit because race orderings that oops are more likely, thanks to the CHECK_DATA_CORRUPTION() block in generic_shutdown_super(). Also, ensure that fsnotify_put_sb_watched_objects() doesn’t call fsnotify_sb_watched_objects() on a superblock that may have already been freed, which would cause a UAF read of sb->s_fsnotify_info.
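A toy model of the ordering invariant described above, added for this page (it is not kernel code): a superblock that is torn down once unmount is pending and its fsnotify watched_objects count drops to zero, and an inode whose iput() has to touch that superblock. The structures, the `alive` flag standing in for freed memory, and both drop orderings are constructed for illustration; in the model, iput() reports -1 where the real kernel would perform the use-after-free.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model (not kernel code): the superblock is torn down as soon as
 * unmount is waiting and no fsnotify watched objects keep it alive. */
struct sb {
    int  watched_objects;    /* elevated while fsnotify holds a watch */
    int  nr_inodes;          /* inodes still referencing this sb */
    bool unmount_pending;    /* unmount is waiting for watches to go */
    bool alive;              /* false once torn down; stands in for freed memory */
    char *s_fs_info;         /* fs-private data freed at teardown (as in tmpfs) */
};

struct inode {
    struct sb *sb;
    int count;
};

static void sb_teardown(struct sb *sb)
{
    free(sb->s_fs_info);
    sb->s_fs_info = NULL;
    sb->alive = false;       /* a real kernel frees the superblock here */
}

/* Drop the fsnotify reference; if unmount was waiting on it, tear down. */
static void fsnotify_put_sb_watched_objects(struct sb *sb)
{
    if (--sb->watched_objects == 0 && sb->unmount_pending)
        sb_teardown(sb);
}

/* Return 0 on success, -1 if the inode's superblock is already gone
 * (the access that is a use-after-free in the real kernel). */
static int iput(struct inode *inode)
{
    struct sb *sb = inode->sb;
    if (!sb->alive)
        return -1;
    if (--inode->count == 0) {
        sb->nr_inodes--;
        if (sb->s_fs_info)
            sb->s_fs_info[0] = 'x';   /* eviction touches fs-private data */
        free(inode);
    }
    return 0;
}

/* Buggy ordering: the reference keeping sb alive is dropped before iput(). */
static int drop_watch_buggy(struct inode *inode)
{
    struct sb *sb = inode->sb;
    fsnotify_put_sb_watched_objects(sb);
    return iput(inode);
}

/* Fixed ordering: iput() first, then drop the watched_objects reference.
 * sb is read before iput() because iput() may free the inode. */
static int drop_watch_fixed(struct inode *inode)
{
    struct sb *sb = inode->sb;
    int rc = iput(inode);
    fsnotify_put_sb_watched_objects(sb);
    return rc;
}

static struct inode *setup(struct sb *sb)
{
    memset(sb, 0, sizeof *sb);
    sb->alive = true;
    sb->unmount_pending = true;
    sb->watched_objects = 1;
    sb->s_fs_info = calloc(16, 1);
    struct inode *inode = calloc(1, sizeof *inode);
    inode->sb = sb;
    inode->count = 1;
    sb->nr_inodes = 1;
    return inode;
}

/* Run one scenario; returns iput()'s result: 0 = safe, -1 = would be UAF. */
static int run_scenario(bool fixed)
{
    struct sb sb;
    struct inode *inode = setup(&sb);
    int rc = fixed ? drop_watch_fixed(inode) : drop_watch_buggy(inode);
    if (rc != 0)
        free(inode);         /* buggy path bailed out before freeing it */
    if (sb.alive)
        sb_teardown(&sb);    /* not reached here; keeps the model leak-free */
    return rc;
}

int main(void)
{
    printf("buggy order: %d, fixed order: %d\n",
           run_scenario(false), run_scenario(true));
    return 0;
}
```

The general rule the model illustrates: a reference that keeps a container alive must be released after, not before, the last operation on anything inside that container.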

Official announcement: Please see the link below for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-53143

CVE-2024-43767: Size overflow when allocating SkMask data (8th Dec 2024)

Preface: Yes, it is possible to develop an Android app using C++, although Java and Kotlin are the recommended languages for Android development. Many memory manipulation functions in C and C++ do not perform bounds checking and can easily overwrite the allocated bounds of the buffers they operate upon.

Background: Skia Graphics Library (SGL) is an open source graphics library written in C++. It was originally developed by Skia Company and was open sourced under the New BSD License after being acquired by Google. The first product developed by Skia is the Skia Graphics Library, which can render high-quality 2D graphics on low-end devices such as mobile phones. As of 2017, it is used in Android, Google Chrome, Chrome OS, Chromium OS, Mozilla Firefox, Firefox OS, and Sublime Text.

Vulnerability details: This vulnerability leads to remote code execution with no additional execution privileges needed. It is related to a size overflow when allocating SkMask data.
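The arithmetic this vulnerability class turns on, as an added example written for this page (it is not Skia's code): the byte count for a pixel mask computed the wrapping way, next to an overflow-checked version. The 32-bit dimension fields, the 256 MiB budget and the helper names are assumptions; the checked version uses the GCC/Clang `__builtin_mul_overflow` intrinsic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed for this example: a mask is described by 32-bit width, height
 * and bytes-per-pixel values that come from untrusted drawing input.
 * This is a stand-in for the real SkMask layout, not a copy of it. */

/* The pattern behind a "size overflow when allocating": the byte count is
 * computed in 32-bit arithmetic and silently wraps, so a huge mask can
 * produce a tiny allocation that later writes overrun. */
static uint32_t naive_mask_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t row_bytes = width * bpp;       /* may wrap */
    return row_bytes * height;              /* may wrap again */
}

/* Example upper bound on a single mask; real renderers pick their own. */
#define MASK_BUDGET_BYTES ((size_t)256 * 1024 * 1024)

/* Hardened variant: reject zero dimensions, check every multiplication
 * for overflow, and cap the result before it ever reaches an allocator. */
static bool checked_mask_bytes(uint32_t width, uint32_t height, uint32_t bpp,
                               size_t *out)
{
    size_t row_bytes, total;
    if (width == 0 || height == 0 || bpp == 0)
        return false;
    if (__builtin_mul_overflow((size_t)width, (size_t)bpp, &row_bytes))
        return false;
    if (__builtin_mul_overflow(row_bytes, (size_t)height, &total))
        return false;
    if (total > MASK_BUDGET_BYTES)
        return false;
    *out = total;
    return true;
}

/* Checked size, or -1 when the mask is rejected (handy for the checks below). */
static long long checked_mask_bytes_or_neg(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    return checked_mask_bytes(width, height, bpp, &n) ? (long long)n : -1;
}

/* Allocate a zeroed mask only once its size is known to be sound. */
static uint8_t *alloc_mask(uint32_t width, uint32_t height, uint32_t bpp, size_t *size_out)
{
    size_t n;
    if (!checked_mask_bytes(width, height, bpp, &n))
        return NULL;
    *size_out = n;
    return calloc(n, 1);
}

int main(void)
{
    /* 65536 x 65536 x 1 byte is 4 GiB, but the 32-bit product wraps to 0. */
    printf("naive:   %u bytes\n", naive_mask_bytes(65536, 65536, 1));
    printf("checked: %lld\n", checked_mask_bytes_or_neg(65536, 65536, 1));
    size_t n = 0;
    uint8_t *m = alloc_mask(16, 16, 4, &n);
    printf("16x16x4: %s, %zu bytes\n", m ? "allocated" : "rejected", n);
    free(m);
    return 0;
}
```

The budget check matters even where the multiplication itself does not overflow `size_t`: a 4 GiB request that is arithmetically correct is still not a mask any renderer should allocate on behalf of untrusted input.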

Official announcement: Please see the link below for details –

https://source.android.com/docs/security/bulletin/2024-12-01

CVE-2024-38920: Use-after-free issue related to the humble version of Open Robotics Robot Operating System 2 (ROS2) and Nav2 (6 Dec 2024)

Preface: Use-after-free (UAF) vulnerabilities are a class of software flaws that involve using a memory resident object after it has been freed. UAF vulnerabilities most commonly occur when a C++ object that was allocated on the heap is accessed after it is deleted, but stack-allocated objects can also be used after a free.

Background: The Robot Operating System (ROS) is a set of software libraries and tools for building robot applications. From drivers and state-of-the-art algorithms to powerful developer tools, ROS has the open source tools you need for your next robotics project.

Since ROS was started in 2007, a lot has changed in the robotics and ROS community. The goal of the ROS 2 project is to adapt to these changes, leveraging what is great about ROS 1 and improving what isn’t.

The base unit in ROS is called a node. Nodes are in charge of handling devices or computing algorithms – each node for a separate task. Nodes can communicate with each other using topics or services. ROS software is distributed in packages. A single package is usually developed for performing one type of task and can contain one or multiple nodes.

Vulnerability details: Open Robotics Robot Operating System 2 (ROS2) and Nav2 humble versions were discovered to contain a use-after-free via the nav2_amcl process. This vulnerability is triggered by remotely sending a request to change the value of the dynamic parameter `/amcl max_beams`.

Official announcement: Please see the link below for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-38920

About Qualcomm CVE-2024-43048 – Stack-based Buffer Overflow in Performance (5 Dec 2024)

Preface: Primitive types such as `int`, `double`, `char`, and `boolean` are stored directly in stack memory. Each time you declare a primitive variable, the JVM allocates a specific size of memory for it.

Background: The get_gpu_headroom() API returns the available average/minimum GPU headroom, in percent, for the last 'duration' seconds. Applications use it to get feedback on the historical application rendering workload and to learn whether the workload is GPU bound on the SoC. The purpose of this API is to provide GPU performance information for the application content and to help drive the workload, together with other APIs, towards smooth and sustained UX performance (minimize frame drops, reduce UI sluggishness). The application can also monitor thermal state: if the mobile device is approaching thermal limits, it can check whether the workload is GPU bound to decide whether reducing the GPU load helps to lower the thermal status (<= LIGHT) and hence improve sustained performance.

Vulnerability details: Memory corruption when invalid input is passed to invoke GPU Headroom API call.

Remark: A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack.

Official announcement: Please see the link below for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-43048

About Qualcomm – CVE-2024-33056 Buffer Over-read in MProc (4th Dec 2024)

Preface: What is a buffer over-read? The opposite of a buffer overflow is a buffer over-read. In this case, the program requests data from outside the buffer. Because data read from outside the buffer is irrelevant to the program, it may cause the program to crash or behave unexpectedly.

Background: Qualcomm SoC chips are divided into four privilege layers (exception levels): EL3, EL2, EL1 and EL0. Both EL3 and EL2 are handled by Qualcomm. However, EL1 is divided into two regions: the Linux core is open source, while the remaining non-secure and secure areas are the responsibility of Qualcomm. The upper level (EL0) is the developer application area (except the secure area).

Vulnerability details: Memory corruption when allocating and accessing an entry in an SMEM partition continuously.

Remark: The MProc component located inside the kernel is responsible for managing inter-processor communication.

Official announcement: Please see the link below for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-33056

antihackingonline.com